Monday October 26, 2020
Protecting Your Data from Phishing Scams
IRS Commissioner Chuck Rettig stated, "The coronavirus has created new opportunities for cybercriminals to use email to try stealing sensitive information. The vast majority of data thefts start with a phishing email trick. Identity thieves pose as trusted sources – a client, your software provider or even the IRS – to lure you into clicking on a link or attachment. Remember, don't take the bait. Learn to recognize and avoid phishing scams."
The Security Summit emphasized four general phishing strategies. These include an urgent message, a delayed notice, COVID–19 fears and posing as a client.
1. Urgent message
A common phishing scam is to send a message that appears to be urgent. It may claim to be from one of the victims' financial institutions and explains that an account password or log in information has expired. The victim is directed to click on the link to restore account data. The phishing email often comes from a site that is one letter or number different from the official website. When the user clicks on the link, malware will be installed on the computer, which enables the thief to steal personal information and passwords.
2. Delayed notice
After the thief has installed malware on a computer, he or she may delay taking action for a period of time. One tax preparation firm had thieves on their network for 18 months without any indication. The thieves downloaded and accessed taxpayer information during that entire timeframe prior to the discovery of the information technology breach.
3. COVID–19 Fears
Another common phishing attack is for the fraudster to claim to be a provider of face masks or personal protective equipment (PPE). The scammer explains that the face masks or PPE are in such short supply that you need to order immediately from his or her organization. When you click to order, the scammer loads malware on your computer.
4. Posing as a client
Many tax professionals are in daily communication with large numbers of existing clients. A fraudster may hack the email account of a client and then send an email to the tax professional. The tax professional may be expecting contact from that client and does not realize that the email has been sent from a different web site or server. When the tax professional clicks on a link, malware is downloaded. Tax professionals are urged by the Security Summit to make contact with clients by phone or video conference if they receive a suspicious email.
Everyone needs to be aware of the risk of phishing emails. Most successful fraudster attacks start with a phishing email. Tax professionals must continually educate their staff on the "dangers and risks of opening suspicious emails – especially during the COVID-19 period."
Additional security recommendations are available in IRS Publication 4557, Safeguarding Taxpayer Data and in the Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology.